Slashdot Mirror


Inside Java 2 Platform Security, Architecture, API Design and Implementation

Jayakrishnan, who recently reviewed Java Look and Feel Design Guidelines, has returned with a review of Li Gong's Inside Java 2 Platform Security, Architecture, API Design and Implementation. With the increasing use of Java in many different situations, books like this will only increase in importance - so learn more about it now, versus later.

Inside Java 2 Platform Security, Architecture, API Design and I
author: Li Gong
pages: 262
publisher: Addison-Wesley, 06/1999
rating: 9/10
reviewer: Jayakrishnan
ISBN: 0201310007
summary: A very useful book for anyone who wants to get an in-depth knowledge of Java 2 security architecture.

The book begins with an introduction to computer and network security fundamentals. The different types of attacks, available defense mechanisms, current security models, cryptography, authentication, etc., are introduced. Chapter 2 brings you up to date with what has been happening 'til JDK 1.1. The different components of the Java security architecture, such as the byte code verifier, the security manager, the restrictive sandbox, signed applets, and strong typing, are briefly described.

Chapter Three, 73 pages long, explains the inner details of the JDK 1.2 security architecture, which provides for flexible, extensible and fine-grained access control. The important classes and their relationships are explained, and the key methods of these classes are explored in detail.

Chapters 4 and 5 talk about deployment and customization of the security architecture. Deployment involves creating policy files and using tools like keytool, policytool and jarsigner; customization involves creating new permission types and configuring the security policy. Here you also learn how to migrate from JDK 1.1 based security managers to JDK 1.2 based ones. Certain good coding practices for writing secure Java objects form the topic of Chapter 6, Object Security. JDK 1.2 also introduces some new classes for the same purpose: SignedObject, SealedObject and GuardedObject.

The generic crypto APIs of the JDK, along with the Java Cryptography Extension (JCE), form the Java Cryptographic Architecture, which provides platform-independent cryptography APIs. Chapter 7, Programming Cryptography, introduces the classes of the JCE. The final chapter looks into the future. Security features that are being investigated for future releases are discussed, and since the author is also the chief Java security architect, this section resembles a trailer of what is coming.

This book is for developers who are very much interested in the inner details of the JDK 1.2 architecture and system administrators who have to configure the system security policy.

Developers will in particular enjoy the discussions where the author explains the rationale behind the design of key classes and the algorithms of significant methods. We get to know what the alternatives were, where the ideas came from, and why this particular one was chosen. For example, you need only private keys to create signatures and public keys to verify them, but then why does CodeSource deal with only certificates and not public keys?

This book is not just theory; it is also rich with examples. You will learn how to create a new Permission type, use the classes of the cryptographic package or use the tools that come with the JDK, just to name a few.

Sys admins will benefit a lot from Chapter 4, which teaches how to configure and deploy policy files. The technical depth is one of the strong points of this book, but it can be overwhelming to people who would just like to get an update on what is new. But then you can skip the sections that get into the details and still benefit a lot from the breadth of knowledge that is covered. There is also an excellent bibliography.

JDK 1.2 is feature rich. The author has done a commendable job in making all of this easy to comprehend by giving a number of real-world code examples. This book is definitely not for the newbie, but for someone who knows the language and the environment, so the book could have done without the section on how to install the JDK, or that section would have been more appropriate in the appendix. I would recommend reading the Java Security trail (http://java.sun.com/docs/books/tutorial/security1.2/index.html) of the Java Tutorial before reading this book.

On the negative side, there are syntax errors in some of the Java code given. The keyword "class" is omitted in the definition of a class. Considering the fact that this book comes "from the source", this is a serious error.

The security model that came with the original version of Java was the very restrictive sandbox model. JDK 1.1 gave us the feature of signing applets. JDK 1.2 brings a whole lot of new features and tools which allow flexible and configurable security policies. One of the factors that hinder the adoption of new technology is complexity. Books like these, which clearly explain how to use it, will definitely make the process of using these security features a lot less painful.

Finally, the author gives a tip to improve the security features on MS-Windows: restrict all applications to be 100% Java code. Till we reach that golden era, I will stick with Robert T. Morris' three golden rules to ensure computer security: do not own a computer, do not power it on, and do not use it :)

Pick this book up at ThinkGeek.
